Advice goes beyond the provision of product information and relates specifically to the provision of a personalised recommendation on a product in relation to the disclosed needs of the customer.  

The insurer or the intermediary should make it clear to the customer whether advice is provided or not. 

• financial knowledge and experience;
• needs, priorities and circumstances;
• ability to afford the product; and
• risk profile.

The supervisor may wish to specify particular types of policies or customers for which advice is not required to be given. Typically, this may include simple to understand products, products sold to customer groups that have expert knowledge of the type of product or, where relevant, mandated coverage for which there are no options. Even if no advice is given the supervisor may require the insurer or intermediary to take into account the nature of the product and the customer’s disclosed circumstances and demands and needs. 

In cases where advice would normally be expected, such as complex or investment-related products, and the customer chooses not to receive advice, it is advisable that the insurer or intermediary retains an acknowledgment by the customer to this effect.  

The basis on which a recommendation is made should be explained and documented, particularly in the case of complex products and products with an investment element. All advice should be communicated in a clear and accurate manner, comprehensible to the customer. Where advice is provided, this should be communicated to the customer in written format, on paper or in a durable and accessible medium, and a record kept in a “client file”.  

The insurer or intermediary should retain sufficient documentation to demonstrate that the advice provided was appropriate, taking into account the customer’s disclosed circumstances. 

In addition, insurers and intermediaries should review the “client files” of those under their responsibility to exercise control after the fact on the quality of the advice given, take any necessary remedial measures with respect to the delivery of advice and, if applicable, be in a position to examine fairly any complaints submitted to it. 

• keep abreast of market trends, economic conditions, innovations and modifications made to the products and services;
• maintain an appropriate level of knowledge about their industry segment, including the characteristics and risks of the products and services;
• know the applicable legal and regulatory requirements;
• know the requirements for the communication of information regarding the products and services and for appropriate disclosure of any situation liable to compromise the impartiality of the advice given or limit such advice; and
• be familiar with the documentation regarding the products and services and answer reasonably foreseeable questions.

Insurers and intermediaries collect, hold, use or communicate to third parties information on their customers in the course of their business. It is important that they have in place policies and processes on the appropriate use and, in the case of personal information, the privacy of such data. 

Significant amounts of the information collected, held or processed represent customers’ financial, medical and other personal information. Security over such information is extremely important, regardless of the format of the information (eg whether physical or electronic). Hence safeguarding personal information on customers is one of the key responsibilities of the financial services industry. 

Legislation identifies the provisions relating to privacy protection under which insurers and intermediaries are allowed to collect, hold, use or communicate personal information on customers to third parties. Generally, the legislation also identifies who is the competent authority. 

Although data protection laws vary from jurisdiction to jurisdiction, insurers and intermediaries should have a clear responsibility to provide their customers with a level of comfort regarding the security of their personal information.

• ensuring that the Board and Senior Management are aware of the challenges relating to protecting the privacy of personal information on customers;
• demonstrating that privacy protection is part of the organisation’s culture and strategy, through measures such as training to employees that promotes awareness of internal and external requirements on this subject;
• implementing policies, procedures and internal control mechanisms that support the objectives of protecting the privacy of personal information on customers and assess the risks associated with potential failure to protect the privacy of personal information;
• assessing the potential impact of new and emerging risks that could threaten the privacy of personal information, such as the risk of cyber attacks, and taking appropriate steps to mitigate these through measures such as internal controls, technology and training; and
• determining the response measures that may be needed where a failure to protect the privacy of personal information occurs, including matters such as timely notification to affected customers and competent authorities.

Insurers and intermediaries use personal and other information on customers for a variety of purposes within the course of business that include, amongst other things, product development, marketing, product pricing, and claims management. 

Insurers and intermediaries should be aware of outsourcing risk, especially when the outsourcing agreement is reached with firms in another jurisdiction. Insurers and intermediaries should ensure that the firms to which they outsource processes have adequate policies and processes in place for the protection and use of private information on customers they have in their records.  

All the necessary data required in the event of restructuring, resolution and liquidation should, subject to data protection requirements, be accessible and readable at the insurer’s or intermediary’s domicile at any time. This includes all customer-related data, such as claims and policy data.